
Update redoc min version because of a critical vulnerability in dompurify

Open HeyRatFans opened this issue 4 years ago • 7 comments

Detailed description

npm audit reports the following critical vulnerability in dompurify as used by redoc.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dompurify                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ redoc                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ redoc > dompurify                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1205                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dompurify                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ redoc                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ redoc > dompurify                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1223                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Updating to [email protected] or newer will update dompurify and fix the vulnerability

HeyRatFans avatar Feb 05 '20 14:02 HeyRatFans
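Added example, not code from the speccy project or from anyone in this thread: a small Node script that turns `npm audit --json` output into a remediation list keyed by the direct dependency you actually control. That is the practical point of the report above: the vulnerable package is dompurify, but the thing to change in `package.json` is the redoc version. The script assumes the npm 6 era JSON layout (an `advisories` object keyed by advisory id, each with `module_name`, `severity`, `title`, `url` and `findings[].paths` written as `direct>transitive`); the embedded sample is constructed to mirror the two findings quoted above and carries no version numbers, since the issue does not state them. A real report is read from the file path given as the first argument.

```javascript
// Added example (not from the speccy project): map npm audit findings back to
// the direct dependency that must be updated, and gate CI on a severity floor.
// Assumes the npm 6 `npm audit --json` layout described in the lead-in.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on the two findings quoted in the issue above.
const SAMPLE_AUDIT = {
  advisories: {
    1205: {
      id: 1205,
      module_name: 'dompurify',
      severity: 'critical',
      title: 'Cross-Site Scripting',
      url: 'https://npmjs.com/advisories/1205',
      findings: [{ paths: ['redoc>dompurify'] }],
    },
    1223: {
      id: 1223,
      module_name: 'dompurify',
      severity: 'critical',
      title: 'Cross-Site Scripting',
      url: 'https://npmjs.com/advisories/1223',
      findings: [{ paths: ['redoc>dompurify'] }],
    },
  },
};

// Flatten the report into one record per (advisory, dependency path).
function flattenFindings(audit) {
  const rows = [];
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split('>');
        rows.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          title: adv.title,
          url: adv.url,
          path: chain.join(' > '),
          // The first segment is the direct dependency listed in package.json.
          direct: chain[0],
          transitive: chain.length > 1,
        });
      }
    }
  }
  return rows;
}

// Group findings at or above `minSeverity` by the direct dependency to update,
// so the output reads "update redoc" rather than "dompurify is vulnerable".
function remediationPlan(audit, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity] || 0;
  const plan = {};
  for (const row of flattenFindings(audit)) {
    if ((SEVERITY_RANK[row.severity] || 0) < threshold) continue;
    const entry = plan[row.direct] || (plan[row.direct] = {
      advisories: new Set(), modules: new Set(), transitive: false,
    });
    entry.advisories.add(row.id);
    entry.modules.add(row.module);
    entry.transitive = entry.transitive || row.transitive;
  }
  // Convert the sets to sorted arrays for stable, printable output.
  return Object.fromEntries(Object.entries(plan).map(([direct, p]) => [direct, {
    advisories: [...p.advisories].sort((a, b) => a - b),
    modules: [...p.modules].sort(),
    transitive: p.transitive,
  }]));
}

// CI gate: non-zero when anything at or above the threshold remains.
function auditExitCode(audit, minSeverity = 'high') {
  return Object.keys(remediationPlan(audit, minSeverity)).length === 0 ? 0 : 1;
}

function main() {
  // Usage: node audit-plan.js [path-to-npm-audit.json]; no path uses the sample.
  const fs = require('fs');
  const audit = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_AUDIT;
  const plan = remediationPlan(audit, 'high');
  for (const [direct, p] of Object.entries(plan)) {
    const tag = p.transitive ? ' (transitive)' : '';
    console.log(`update ${direct}: advisories ${p.advisories.join(', ')} via ${p.modules.join(', ')}${tag}`);
  }
  process.exitCode = auditExitCode(audit, 'high');
}

if (typeof require !== 'undefined' && require.main === module) main();
if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_AUDIT, flattenFindings, remediationPlan, auditExitCode };
}
```

Run against the sample it prints `update redoc: advisories 1205, 1223 via dompurify (transitive)` and exits 1, which is the behaviour you want from a pipeline step: the two advisories collapse into the single action the reporter names, bumping redoc.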

@MikeRalphson @djtarazona any chance this could be fixed and released soon?

pkuczynski avatar Feb 15 '20 21:02 pkuczynski

I have no commit rights to this repository, and believe it is de facto unmaintained.

MikeRalphson avatar Feb 16 '20 09:02 MikeRalphson

That's really a shame :/

pkuczynski avatar Feb 17 '20 10:02 pkuczynski

Maintained projects:

  • https://github.com/Mermade/oas-kit/blob/master/packages/swagger2openapi/README.md
  • https://github.com/Redocly/redoc/blob/master/cli/README.md
  • https://github.com/stoplightio/spectral

MikeRalphson avatar Feb 17 '20 10:02 MikeRalphson

I ended up using spectral although they have a quite annoying issue at the moment https://github.com/stoplightio/spectral/issues/955

pkuczynski avatar Feb 18 '20 22:02 pkuczynski

Such a shame this is abandoned :(

@MikeRalphson @pkuczynski do you guys have any suggestions for compiling multiple swagger docs into a single file? My work maintains an API and the swagger documentation for it is maintained in separate files, one for each endpoint. Obviously this helps with maintaining the files, but makes swagger very slow on initial load which is rather unbearable.

Thanks!

HeyRatFans avatar Mar 07 '20 17:03 HeyRatFans

@heyratfans oas-kit as above or https://github.com/APIDevTools/json-schema-ref-parser

MikeRalphson avatar Mar 07 '20 18:03 MikeRalphson